11 research outputs found

    Efficient policy analysis for administrative role based access control

    ARBAC Policy for a Large Multi-National Bank

    Administrative role-based access control (ARBAC) is the first comprehensive administrative model proposed for role-based access control (RBAC). ARBAC has several features for designing highly expressive policies, but current work has not highlighted the utility of these expressive policies. In this report, we present a case study of designing an ARBAC policy for a bank comprising 18 branches. Using this case study, we provide an assessment of the features of ARBAC that are likely to be used in realistic policies.

    Analyzing temporal role based access control models

    Today, Role Based Access Control (RBAC) is the de facto model used for advanced access control, and is widely deployed in diverse enterprises of all sizes. Several extensions to the authorization as well as the administrative models for RBAC have been adopted in recent years. In this paper, we consider the temporal extension of RBAC (TRBAC), and develop safety analysis techniques for it. Safety analysis is essential for understanding the implications of security policies both at the stage of specification and of modification. Towards this end, in this paper, we first define an administrative model for TRBAC. Our strategy for performing safety analysis is to appropriately decompose the TRBAC analysis problem into multiple subproblems similar to RBAC. Along with making the analysis simpler, this enables us to leverage and adapt existing analysis techniques developed for traditional RBAC. We have adapted and experimented with employing two state-of-the-art analysis approaches developed for RBAC as well as tools developed for software testing. Our results show that our approach is both feasible and flexible.

    Forensic Analysis in Access Control: a Case-Study of a Cloud Application

    We discuss a case-study we have conducted on forensic analysis in access control. The case-study is an application in the Amazon Web Services (AWS) cloud provider. Forensic analysis is the investigation and analysis of evidence of possible wrongdoing. Access control is used to regulate accesses to computing resources. Both forensic analysis and access control are recognized as important aspects of the security of a system. We first argue that posing the forensic analysis problem in the context of access control is meaningful and useful towards the security of a system. We then summarize results on the computational hardness of the forensic analysis problem for two access control schemes from the research literature. We point out that these results suggest that meaningful logging information can render forensic analysis tractable, even efficient. We then instantiate the forensic analysis in access control problem in the context of a cloud application. A cloud application is a software service that can be accessed over the Internet and uses computing resources provided by a cloud provider. A cloud provider provides computing tools and services that can be administered over the Internet. The cloud provider we have adopted is AWS, and the application is "Hello Retail", an image-sourcing application for online retailers. In addressing forensic analysis in this context, our particular focus is the manner in which logging information can be leveraged. We ask two kinds of questions: (i) is particular logging information from AWS necessary to answer forensic analysis questions of interest, and (ii) is particular logging information sufficient? We observe that from the standpoint of (i), default AWS logs have considerable redundancy. We propose an algorithm to prune logs for efficient forensic analysis. From the standpoint of (ii), we observe that it is not possible to definitively answer "yes" or "no" to forensic analysis questions of interest given only the information AWS permits us to log. We identify additional logging information that, if available, would be sufficient. Together, (i) and (ii) provide us with "goal-directed logging". We conclude by reiterating the benefits of forensic analysis in access control, and with suggestions for goal-directed logging in cloud systems.

    Secrecy Resilience of Authorization Policies and Its Application to Role Mining

    We propose and study a new property that we call secrecy resilience in the context of authorization policies that are used to secure information systems. An authorization policy expresses whether a principal (e.g., a user or process) is allowed to exercise a privilege (e.g., read or write) on a resource (e.g., a device or file). Access control is a process by which authorizations are enforced. We address the problem that disclosure of portions of an authorization policy is a threat that needs to be mitigated, and argue that the ease with which an adversary can learn such portions of a policy can be a property of the policy itself. We then introduce the term secrecy resilience as a quantitative measure of the computational hardness that such an adversary encounters. We instantiate secrecy resilience for authorization policies expressed as access control policies and as Role-Based Access Control (RBAC) policies, and more specifically consider the problem of role mining, in which a policy expressed as an access matrix is converted to an RBAC policy. We present a number of analytical results while highlighting that the underlying assumptions we make, with regard to the a priori knowledge an adversary has, are an important consideration in any such analysis. We also present our results from an empirical study of role mining algorithms from the literature and two new "baseline" algorithms we propose. The results of our study suggest that when secrecy resilience is the objective, a role mining algorithm that performs well along a different criterion for goodness, e.g., minimization of roles (e.g., the RBAC policy generated by User-Role Miner), does not necessarily perform well for some disclosure events. Moreover, under the assumptions we made for the empirical study, for the disclosure event that the victim user has a role from the adversary, Permission-Role Miner is the best role mining algorithm from the standpoint of secrecy resilience.

    Satisfiability Analysis of Workflows with Control-Flow Patterns and Authorization Constraints

    TACKLING INSIDER THREATS USING RISK-AND-TRUST AWARE ACCESS CONTROL APPROACHES

    Insider attacks are one of the most dangerous threats organizations face today. An insider attack occurs when a person authorized to perform certain actions in an organization decides to abuse that trust and harm the organization by causing breaches in the confidentiality, integrity or availability of the organization's assets. These attacks may negatively impact the reputation of the organization and its productivity, and may incur heavy losses in revenue and clients. Preventing insider attacks is a daunting task. Employees need legitimate access to effectively perform their jobs; however, at any point in time they may misuse their privileges accidentally or intentionally. Hence, it is necessary to develop a system capable of finding a middle ground where the necessary privileges are provided and insider threats are mitigated. In this dissertation, we address this critical issue. We propose three adaptive risk-and-trust aware access control frameworks that aim at thwarting insider attacks by incorporating the behavior of users in the access control decision process. Our first framework is tailored towards general insider threat prevention in role-based access control systems. As part of this framework, we propose methodologies to specify risk-and-trust aware access control policies and a risk management approach that minimizes the risk exposure for each access request. Our second framework is designed to mitigate the risk of obligation-based systems, which are difficult to manage and are particularly vulnerable to sabotage. As part of our obligation-based framework, we propose an insider-threat-resistant trust computation methodology. We emphasize the use of monitoring of obligation fulfillment patterns to determine some psychological precursors that have high predictive power with respect to potential insider threats. Our third framework is designed to take advantage of geo-social information to deter insider threats. We uncover some insider threats that arise when geo-social information is used to make access control decisions. Based on this analysis, we define an insider-threat-resilient access control approach to manage privileges that considers geo-social context. The models and methodologies presented in this dissertation can help a broad range of organizations in mitigating insider threats.